ec2_ami: create tags on ami at point of creation #550

Closed
1 task done
andytson opened this issue Oct 24, 2021 · 4 comments · Fixed by #551
Labels
action action plugin feature This issue/PR relates to a feature request has_pr module module plugins plugin (any type)

Comments

@andytson

andytson commented Oct 24, 2021

Summary

I am trying to use the principle of least privilege to limit an Ansible play in CI to only being able to manage the AWS resources that it itself creates.

I do that by creating a tag on each resource when it's created to signify ownership.

On the ec2_ami module, it appears to only create the tags after the image has finished snapshotting. This means:

  • if the Ansible play fails to complete during snapshotting, the tags are not added
  • the ec2:CreateAction = 'CreateImage' condition isn't available to be matched by the IAM policy, meaning only a policy that allows tagging all AMIs is possible, breaking the security of it

The CreateImage API call supports passing a tag specification.

Issue Type

Feature Idea

Component Name

ec2_ami

Additional Information

The following tasks fail on CreateTags with a policy created further down

- amazon.aws.ec2_instance_info:
    filters:
      "tag:example.com/myapp": "true"
      instance-state-name: ["running"]
  register: aws_instances

- amazon.aws.ec2_ami:
    instance_id: "{{ (aws_instances.instances | first).instance_id }}"
    name: myapp
    wait: true
    tags:
      "example.com/myapp": "true"

policy.yml used to set up the IAM permissions from another set of AWS credentials

# Module is community.aws.iam_policy (fully qualified collection name);
# IAM Effect values are case-sensitive ("Allow" / "Deny").
- community.aws.iam_policy:
    iam_type: user
    iam_user: myapp
    policy_name: ec2
    policy_json:
      Version: "2012-10-17"
      Statement:
        - Sid: Describe
          Effect: Allow
          Action:
            - ec2:DescribeInstances
            - ec2:DescribeImages
          Resource: "*"
        # Only allows tagging an AMI as part of the CreateImage call itself,
        # and only when the request carries the ownership tag.
        - Sid: Tagging
          Effect: Allow
          Action: ec2:CreateTags
          Resource: "arn:aws:ec2:{{ aws_region }}::image/ami-*"
          Condition:
            StringEquals:
              "ec2:CreateAction": CreateImage
              "aws:RequestTag/example.com/myapp": "true"
        # Source instance must already carry the ownership tag.
        - Sid: CreatingImagesFromInstance
          Effect: Allow
          Action: ec2:CreateImage
          Resource:
            - "{{ aws_ec2_arn_prefix }}:instance/*"
          Condition:
            StringEquals:
              "ec2:ResourceTag/example.com/myapp": "true"
        - Sid: CreatingImagesNewImage
          Effect: Allow
          Action: ec2:CreateImage
          Resource:
            - "arn:aws:ec2:{{ aws_region }}::image/*"

If "ec2:CreateAction": CreateImage is removed, it works, because the tags are applied by a separate CreateTags API call rather than being passed into the CreateImage API call.

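To make the failure mode above concrete, here is an added example (not amazon.aws module code) that builds the TagSpecifications parameter boto3's create_image accepts and models, in a deliberately simplified way, the request context IAM evaluates for the policy's Tagging statement: a standalone CreateTags call has no ec2:CreateAction key, so the StringEquals condition can never match, while tags carried on CreateImage do. The condition evaluator is a stand-in for IAM that covers only StringEquals on the keys this policy uses.

```python
"""Tag-on-create versus a follow-up CreateTags call, as seen by IAM.

Added example, not code from the amazon.aws collection. The request
context and condition evaluation are a simplified model of IAM limited
to StringEquals on the keys the issue's policy uses.
"""

TAG_KEY = "example.com/myapp"

# The "Tagging" statement from the issue's policy (Allow + StringEquals only).
TAGGING_STATEMENT = {
    "Action": "ec2:CreateTags",
    "Condition": {
        "StringEquals": {
            "ec2:CreateAction": "CreateImage",
            f"aws:RequestTag/{TAG_KEY}": "true",
        }
    },
}


def tag_specifications(tags, resource_types=("image", "snapshot")):
    """Build the TagSpecifications list for boto3's create_image.

    CreateImage can tag both the AMI and its snapshots in one call, which
    is what lets the ec2:CreateAction condition match at creation time.
    """
    tag_list = [{"Key": k, "Value": str(v)} for k, v in sorted(tags.items())]
    return [{"ResourceType": rt, "Tags": list(tag_list)} for rt in resource_types]


def request_context(tags, via_create_image):
    """Simplified IAM request context for the CreateTags permission check.

    AWS sets ec2:CreateAction only when tags ride along on the creating
    API call; a separate CreateTags request carries no such key.
    """
    ctx = {f"aws:RequestTag/{k}": str(v) for k, v in tags.items()}
    if via_create_image:
        ctx["ec2:CreateAction"] = "CreateImage"
    return ctx


def statement_allows(statement, ctx):
    """StringEquals: every condition key must be present with the exact value."""
    return all(ctx.get(key) == expected
               for key, expected in statement["Condition"]["StringEquals"].items())


def create_tags_allowed(tags, via_create_image):
    """True only for the tag-on-create path with the ownership tag present."""
    return statement_allows(TAGGING_STATEMENT, request_context(tags, via_create_image))
```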

@ansibullbot ansibullbot added action action plugin feature This issue/PR relates to a feature request module module needs_triage plugins plugin (any type) labels Oct 24, 2021
@tremble
Contributor

tremble commented Oct 24, 2021

Hi @andytson,

Thanks for the suggestion, I've attempted to add support with #551. Please note that this will only work when creating an image directly from an instance.

If you're able to test the PR that would be appreciated.

@tremble
Contributor

tremble commented Oct 24, 2021

@andytson,

While tag-based permissions may be the right solution for your needs, from experience I'd generally recommend considering the use of multiple AWS accounts rather than relying on tag-based permissions. AWS Organizations, sharing subnets between accounts and transit gateways make this much easier than it used to be. My experience with tag-based permissions is that they can get very complicated to maintain in the long run.

ansible-zuul bot pushed a commit that referenced this issue Oct 26, 2021
…stance (#551)

ec2_ami - Tag the image on creation when creating an image from an instance

SUMMARY
Tagging an instance during creation avoids the need to make an additional "tag" call on an untagged resource.
ISSUE TYPE

Feature Pull Request

COMPONENT NAME
ec2_ami
ADDITIONAL INFORMATION
fixes: #550

Reviewed-by: Andy Thompson <None>
Reviewed-by: Mark Chappell <None>
Reviewed-by: Alina Buzachis <None>
Reviewed-by: None <None>